The Hacker News — Cyber Security, Hacking, Technology News

The "Hack the Pentagon" bug bounty program by the United States Department of Defense (DoD) has been successful with more than 100 vulnerabilities uncovered by white hat hackers in Pentagon infrastructure.

In March, the Defense Department launched what it calls "the first cyber Bug Bounty Program in the history of the federal government," inviting hackers to take up the challenge of finding bugs in its networks and in public-facing websites registered under the DoD.

Around 1,400 white hat (ethical) hackers participated in the Hack the Pentagon program and were awarded up to $15,000 for disclosures of the most destructive vulnerabilities in the DoD's networks, Defense Secretary Ashton Carter said at a technology forum on Friday.

"They are helping us to be more secure at a fraction of the cost," Carter said. "And in a way that enlists the brilliance of the white hatters, rather than waits to learn the lessons of the black hatters."

The Hack the Pentagon program, hosted on the bug bounty platform HackerOne, ran from April 18 to May 12, 2016. All participants were required to pass a background check.

Although hackers and bug hunters were permitted to hack the agency's web properties, critical and highly sensitive systems of the Pentagon were out of bounds for the bounty program.

When Hack the Pentagon was first announced in March, Carter said he believed the effort would "strengthen our digital defenses and ultimately enhance our national security." And yes, it did.

Remember the last OAuth flaw in Facebook, which allowed an attacker to hijack any account without the victim interacting with any Facebook application? It was reported by white hat hacker Nir Goldshlager, after which the Facebook security team fixed the issue with some minor changes.

Yesterday Goldshlager once again pwned Facebook's OAuth mechanism by bypassing all of those minor changes made by the Facebook team. He explains the complete saga of hunting this Facebook bug in a blog post.

As explained in our last report on The Hacker News, the OAuth URL contains two parameters, redirect_uri and next, and after the last patch the Facebook team tried to secure them with regex protection (%23xxx!, %23/xxx, /).

In the newly discovered technique, the hacker found that the next parameter accepts the facebook.facebook.com domain as a valid option, and that multiple hash signs are now enough to bypass the regex protection.

He used the facebook.com/l.php file (used by Facebook to redirect users to external links) to redirect victims to his malicious Facebook application and then on to his own server, which stores the token values; such tokens give access to any Facebook account without the password.

But a warning message shown during the redirect ruined the show! No worries: he found that 5 bytes of data in the redirection URL are enough to bypass this warning message.

In the last step, he redirects the victim to an external website at files.nirgoldshlager.com (the attacker's server) via the malicious Facebook app he created, and the victim's access_token is logged there. So here we have the final POC that can hack any Facebook account by exploiting another Facebook OAuth bug.

For all browsers:
https://www.facebook.com/connect/uiserver.php?app_id=220764691281998&next=https://facebook.facebook.com/%23/x/%23/l/ggggg%3btouch.facebook.com/apps/sdfsdsdsgs%23&display=page&fbconnect=1&method=permissions.request&response_type=token

For Firefox browser:
https://www.facebook.com/dialog/permissions.request?app_id=220764691281998&display=page&next=https%3A%2F%2Ftouch.facebook.com%2F%2523%2521%2Fapps%2Ftestestestte%2F&response_type=token&perms=email&fbconnect=1

This bug was also reported to the Facebook security team last week by Nir Goldshlager and has now been patched. If you are a hacker, we expect YOU to hack it again!
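The root cause above is a deny-list regex on the next parameter, which encoding tricks and look-alike hosts route around. The following is an added example (not Facebook's code and not from Goldshlager's post) of the defensive alternative: an exact-match allowlist of redirect URIs registered per app, with repeated percent-decoding so that encoded hash signs (%23, %2523) and hosts such as facebook.facebook.com are rejected. The registry, app id and sample URLs are constructed for this example.

```python
"""Exact-match validation of an OAuth redirect target (added example)."""
from typing import Tuple
from urllib.parse import urlsplit, unquote

# Constructed registry: app_id -> redirect URIs registered by the app owner.
# Registered URIs are stored in fully decoded form, since candidates are
# decoded before comparison.
REGISTERED = {
    "app-123": {"https://touch.facebook.com/apps/example-app/"},
}


def fully_decode(value: str, rounds: int = 3) -> str:
    """Undo repeated percent-encoding (e.g. %2523 -> %23 -> #) before checking."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def validate_redirect(app_id: str, candidate: str) -> Tuple[bool, str]:
    """Return (ok, reason). A candidate passes only if it is exactly one of the
    URIs registered for app_id: same scheme, host, path and query, no fragment.
    No regex deny-list is involved, so there is nothing to 'bypass'."""
    decoded = fully_decode(candidate)
    # A registered redirect URI never carries a fragment, so any '#' that
    # survives decoding is a tampering signal, not something to strip.
    if "#" in decoded:
        return False, "fragment or encoded '#' not allowed"
    try:
        parts = urlsplit(decoded)
        port = parts.port  # may raise ValueError on a malformed port
    except ValueError:
        return False, "unparseable URL"
    if parts.scheme != "https":
        return False, "scheme must be https"
    if parts.username or parts.password or port:
        return False, "userinfo/port not allowed"
    # Rebuild the URL from parsed parts; hostname is lowercased by urlsplit.
    normalized = f"{parts.scheme}://{parts.hostname}{parts.path}"
    if parts.query:
        normalized += "?" + parts.query
    if normalized not in REGISTERED.get(app_id, set()):
        return False, "not a registered redirect URI"
    return True, "ok"
```

Because matching is exact, open redirectors such as l.php on an allowed host are rejected as well, since no app registers them.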

Note: To report your hacks or finding to 'The Hacker News' technical team, you can mail us at admin@thehackernews.com.

Computer hacking is truly an epidemic. It is not enough to apply the latest patches to your servers and workstations or otherwise defend yourself reactively. If you are in charge of your network's security, you must understand how hackers' minds work and what tools they use for their attacks.

One of the best ways to protect yourself is to think like a hacker. Evil hackers are not just a threat to national security. They are a threat to your privacy and even your livelihood. Your personal information? Nothing more than a commodity in their billion-dollar black-market enterprise.

There's no product that can prevent hackers from plastering passwords and usernames on the Web. But some white hat hackers are not only chasing these cybercriminals but also thwarting the attacks before they can be launched.

Vulnerabilities appear in your environment every day. For example, everyone wants to use their tablet or smartphone to conduct business. And it makes sense: phones are portable, powerful and connected, but they are also among the most vulnerable devices. You are exposed to new threats every day.

Helping your organization stay ahead does take effort. But remember, it "takes one to know one." You need to think like the bad guys. Which assets are valuable? How would you go after them? Learning about common attack methods and commonly attacked assets makes you realize that hackers know the way to valuable data is through the people who handle the data.

Harvard's Carr Center for Human Rights Policy website (www.hks.harvard.edu/cchrp/) was hacked last week and then silently fixed by the administrator, without any reply to or credit for the white hat hacker who reported the vulnerability. The hack took place in three phases, as described below:

Phase 1: A hacker with the nickname "FastFive" posted a list of SQL-injection-vulnerable educational sites on a well-known hacking forum last week, which included the SQLi-vulnerable link for the Harvard Carr Center for Human Rights Policy website, as you can see in the list in the above screenshot taken by me.

Phase 2: Hundreds of hackers saw the post from "FastFive" and got some juicy information about their next targets. One of them, "Vansh", successfully exploited Harvard's site and extracted the database onto his computer. He found the username and password in a table and tried to log in at the admin panel location. Yes, he was logged in with the password "DOG". We confirmed the user:password validity before posting this news, and below is the screenshot posted by the hackers. For security reasons we are not disclosing any databases or usernames, but why are we disclosing the password? Because the use of a three-character password by the administration of one of the biggest universities makes me do so. I think even a brute force tool would take half a second to crack such a weak password.

Phase 3: Because Vansh is a white hat hacker, he decided to inform the administrator without disclosing the hack in public before a patch. He mailed the admins and waited 2-3 days for a reply. But today he saw that they had fixed the vulnerability in the site silently, without giving credit or a simple thank-you reply to the hacker who informed them, and had revoked access from all external IPs.

So, finally, this lack of any reply led him to inform The Hacker News, and we remind you: never use "DOG" as your password. Happy hunting!